5-star hotels rope in cyber auditors to curb data theft

Four months ago, cyber criminals hacked into the computer network of a New Delhi-based international 5-star hotel chain and stole some 'loyalty points.'

The criminals then used the loyalty points to book air tickets and hotel rooms and then advertised in a leading national daily, offering them to unsuspecting buyers at half the usual rates. Thanks to a call from a guest, the data breach was discovered and in December, four people were arrested in Hyderabad in connection with the hacking.

"Had it not been for a member who called the 5-star hotel chain as he wanted to change his visiting dates, the hotel would never have discovered the fraud," a police officer from Hyderabad said. The hotel chain hired private investigators to look into the matter and unearthed the fraud.

The incident wasn't even a sophisticated attack such as DarkHotel, said people involved in the investigations, referring to malware that is surreptitiously installed in a hotel's IT system using its free WiFi to steal information from guests using the network. This case would have been pushed under the carpet and perhaps forgotten had it not been for a malware attack that infected hotels run by Hyatt International globally.

The US hotel chain said in December that its properties, including those in India, were hit by malware found on its customer payments system. In India, 20 of its hotels - 90% of its portfolio in the country - had been affected.

That was a wake-up call. Suddenly, all major Indian and global hotel chains scampered to conduct cyber audits to analyse and study weak spots in their information technology systems.

Industry experts said that as hotels adopt more tech-heavy operations for their loyalty programmes and check-in systems, they become increasingly vulnerable to sophisticated cyber-attacks. With their high-profile guests, hotels have been added to the list of potential cyber-crime targets.

"Even IT systems at kirana stores would be better," said a private investigator who undertook one such audit. "So not only is everyone staying at these hotels and connecting their phones or laptops vulnerable, but even these hotels could keep facing data breaches."

Moreover, most hotel chains still use run-of-the-mill legacy IT systems, which are an easy target for savvy cyber criminals.

"What such companies need to do is to build a comprehensive cyber protection programme that addresses the specific cyber and data leakage risks prevalent in the hospitality sector," said Dhruv Phophalia, managing director, India leader, global forensics and disputes, Alvarez & Marsal.

During the investigation in a New Delhi-based 5-star hotel, it was found that a suspected cyber criminal was providing free WiFi access inside the hotel with the help of a dongle.

"He had just misspelt the hotel's name. So someone searching for a Wi-Fi network could see even this network. Many people were even connected," the investigator told ET. Industry experts said the cyber criminal could easily access all the information of anyone connected to the network, including downloaded files, folders, emails and social-networking sites.

"Five-star hotels offer hackers a rich hunting ground because of their high concentration of C-suite executives. So if a cyber-criminal is able to gain access to their WiFi or wireless systems, they not only gain access to most of the CXOs' information but even the IT systems of the company where the senior executive is working," said Sivarama Krishnan, leader, cyber security, at PwC India.

In 2015, Hilton Worldwide, Starwood Hotels, Mandarin Oriental and Trump Hotel Collection, along with Hyatt, were all hit by payment information breaches.